COBIT Audits for IT

COBIT is a benchmarked framework, designed, developed and continuously updated by the Information Systems Audit and Control Association (ISACA), for the governance and management of enterprise IT. It is a comprehensive set of guidelines that helps organizations adopt a proper IT governance and control framework. While it is most widely used in the U.S.A., the guidelines are increasingly being adopted in countries like India because of the results they have delivered. COBIT originally stood for Control Objectives for Information and Related Technology; starting with the fifth iteration (COBIT 5, 2012) ISACA retained only the acronym, since the framework had grown well beyond control objectives for auditors.

Based in Illinois, U.S.A., the Information Systems Audit and Control Association, Inc. (ISACA) operates as a non-profit organization. Its objective is to offer tools and guidance to any enterprise that uses information systems, and it serves governance, security, audit, and assurance professionals worldwide. Apart from COBIT, which is one of the most widely used IT governance and audit frameworks, the organization also offers several certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).

History of COBIT
Availability of reliable information is vital in today's competitive environment, and information technology (IT) plays the key role in making it available. More and more businesses try to maintain high-quality information to support business decisions and achieve strategic goals. Recognizing the growing importance of IT in business, ISACA released the first version of COBIT in 1996. It was meant to give audit firms and consultants a structured view of IT environments. The second version was released in 1998 and added high-level and detailed control objectives, which extended the framework beyond auditing firms to the people who run IT. Version 3, released in 2000, brought IT management and information governance techniques under its ambit. Subsequent versions incorporated further guidance that helped companies and auditors better control their IT infrastructure. COBIT follows a top-down approach: enterprise goals drive the derived IT goals, which in turn determine what is required of the IT processes and architecture. In COBIT 4 and 4.1 (2005 and 2007) the framework was organized into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. COBIT 4.1 defines 34 IT processes across these four domains and breaks them down into roughly 210 detailed control objectives; for each process it describes control objectives, activities, measurement parameters (goals and metrics), and guidelines. COBIT 5 (2012) reorganized this into five domains, adding a separate governance domain (Evaluate, Direct and Monitor) to the four management domains, and expanded the process set to 37. As of June 2020, the latest version is COBIT 2019 (published in late 2018), which defines 40 governance and management objectives. ISACA dropped version numerals after COBIT 5.

COBIT 2019 incorporates additions that focus specifically on security, risk management, and information governance. The revised framework gives organizations more flexibility: it introduces design factors (such as enterprise strategy, risk profile, threat landscape, and compliance requirements) and focus areas that let an enterprise tailor its governance system instead of adopting the whole framework as-is. Taking cognizance of growing cybersecurity threats, it also aligns more closely with related security standards and strengthens the security-related guidance. It not only shows how to build a governance system but also guides an organization on how to maintain it through its components: processes, organizational structures, policies and procedures, information flows, culture and behaviour, people and skills, and services, infrastructure and applications.

Each new version of COBIT brings refinements that improve IT and overall governance for the organization. Auditors need to re-train with each new version in order to give their clients the best possible IT governance guidance.

The main COBIT components, explained in brief:
Process Descriptions: COBIT helps organizations understand the nature of all IT-related activities and how to organize them. It thus acts as a reference model that describes the processes for planning, building, running, and monitoring IT, in a common language that business and IT can share.

Control Objectives: The key to maintaining profitability in a technologically changing environment is how well control is maintained. COBIT's control objectives provide the critical insight needed to define clear policy and good practice for IT controls, and give auditors a concrete statement of what each process is expected to achieve.

Maturity Models: The COBIT maturity model allows a business to understand where it currently stands, helps it decide where it needs to be, and measures progress against that target. (COBIT 5 replaced the maturity model with an ISO/IEC 15504-based process capability model; COBIT 2019 reintroduced a maturity view based on CMMI, alongside capability levels.)

Audit Guidelines: Outline and suggest the tasks that need to be performed to achieve the high-level IT control objectives, while substantiating the risk of those control objectives not being met.

Principles of COBIT
COBIT 5 is based on five key principles for governing and managing enterprise IT (COBIT 2019 restates and extends these into six principles for a governance system, adding that the system must be dynamic and tailored to enterprise needs):
Principle 1: Meeting Stakeholder Needs. The purpose of an enterprise is to create value for its stakeholders. COBIT helps by channelling IT so that it supports business value creation while balancing benefits, risk, and resource use.

Principle 2: Covering the Enterprise End-to-End. COBIT integrates governance of enterprise IT into enterprise governance as a whole. It treats information and the related technologies as enterprise assets, and covers every function and process that depends on them, not just the IT department.

Principle 3: Applying a Single Integrated Framework. COBIT aligns with other relevant standards and frameworks at a high level, serving as an overarching framework for governance into which the others can be mapped.

Principle 4: Enabling a Holistic Approach. COBIT defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.

Principle 5: Separating Governance from Management. The framework makes a clear distinction between governance (evaluate, direct and monitor, typically the board's responsibility) and management (plan, build, run and monitor, the responsibility of executive management).

COBIT and Internal Audit
Because it is so comprehensive, the in-depth guidance COBIT provides makes it difficult for small and medium-sized organizations to implement it in full. While it provides clear guidance on IT governance, actually implementing it is a demanding undertaking, and expert consultants are usually needed to do it properly. COBIT is nevertheless a particularly useful tool for assessing internal controls in an IT-intensive environment. Whether or not to adopt COBIT is an important decision, and it should be taken in consultation with top management and, where one exists, the internal audit team. Small and medium-sized businesses typically need specialist audit consultants to implement COBIT thoroughly. Before using COBIT in internal audits, the organization should train key members of the audit team on the framework, then pilot it by assessing internal controls on an audit that is already being developed and documented with the existing internal audit techniques, so that the two approaches can be compared.

It is important to remember that adhering to the COBIT framework is only part of the internal auditing process. There is much more to auditing systems than that, but choosing to use COBIT contributes to a better audit process.